Tor Project boosts Onion sites' defense against DoS attacks

The developers behind one of the most secure browsers around, the Tor Project, have just increased the security of its onion sites against cyberattacks.

Onion services are sites that can be accessed only by using the Tor browser. However, while seeking to maximize users' privacy online, their technical design has also made these more vulnerable to DoS (denial-of-service) attacks.

That's why the team added its latest version a new proof-of-work (PoW) defense to prioritize verified network traffic and deter attackers. Let's see how this works in practice.

Proof-of-Work defense for onion services

As the provider explains in a blog post, "Tor's PoW defense is a dynamic and reactive mechanism, remaining dormant under normal use conditions to ensure a seamless user experience, but when an onion service is under stress, the mechanism will prompt incoming client connections to perform a number of successively more complex operations. The onion service will then prioritize these connections based on the effort level demonstrated by the client."

The need for such an additional tool comes from the fact that when an IP address gets obfuscated, connections are more likely to be seen as illegitimate. This makes DoS attackers' duties, whose aim is making a machine or network inaccessible, even easier to accomplish.

This is why the Tor Project team devised a PoW mechanism involving a client puzzle to prevent DoS attacks from happening, without affecting user privacy. Simply put, it "blocks attackers while giving real users a chance to reach their destination."

This process acts as a ticket system which is turned off by default and gets triggered when it reveals some stress on the network. For attackers, who make a huge number of connection attempts to an onion service, this means a way greater computational effort. While users will barely notice such a process most of the time.